This Privacy Policy explains how Eco Heroes International SL ("we", "us", "the Academy") collects, uses, stores, and protects your personal data when you use the Eco Heroes Academy learning platform at learn.eco-heroes.org. It is the Article 13 disclosure required by Regulation (EU) 2016/679 (GDPR).
We've written this in plain language. Where the law requires a specific term, we use it and explain what it means.
1. Who we are
The Data Controller under GDPR Article 4(7) is:
Eco Heroes International SL
CIF: B44915940
Registered office: Girona, Catalonia, Spain
Contact for data protection matters: info@eco-heroes.org
Eco Heroes Academy (the "Academy") is our online learning platform providing sustainability training for tourism professionals, structured around the seventeen United Nations Sustainable Development Goals.
2. What data we collect and why
We only collect what we need to run the Academy. Here's the full list:
2.1 Account data
When you register an account, we collect:
- Email address — to identify you, log you in, and send verification and transactional emails.
- Password — stored only as a bcrypt hash; we cannot read your password, only verify that you know it.
- First name and (optionally) last name — to personalise the interface and to print on your Diploma.
- Role — one of eight tourism professional roles (management, reception, administration, kitchen, food & beverage, housekeeping & maintenance, guides, outdoor & wellness). Used to present you with the relevant role-specific course variants.
- Preferred language — to display the Academy interface in your chosen language.
- Country (optional, two-letter ISO code) — for anonymised usage statistics by region and for applying correct VAT at checkout.
- Consent records — the version of the Terms of Service and this Privacy Policy you accepted at registration, together with the timestamp of acceptance.
Legal basis (GDPR Article 6): performance of the contract between you and us (Article 6(1)(b)) for account setup and course delivery; legal obligation (Article 6(1)(c)) for keeping records of consent.
2.2 Learning Progress Data
As you use the Academy, the platform records:
- Which SDG courses and modules you have opened.
- Quiz attempts — the questions shown, the answers you gave, the score, and the timestamp.
- Module completion status per SDG and per role track.
- The date and identifier of any Diploma issued to you.
This is the data that makes the platform work: it lets you resume where you left off, gates access to modules that require a prior module's pass, and determines when you have earned your Diploma.
Legal basis: performance of the contract (Article 6(1)(b)).
2.3 Payment data
When you purchase access (or an Organisation purchases Licence Seats for you), we record:
- The product purchased, amount paid, currency, and VAT applied.
- A Stripe payment identifier linking the purchase to your account.
- Invoice details as required by Spanish tax law.
We do not store card numbers, CVV codes, or bank details. Payments are processed directly by Stripe, Inc. under their own privacy policy and under PCI-DSS certification. We only see the high-level purchase record.
Legal basis: performance of the contract (Article 6(1)(b)) and legal obligation for accounting records (Article 6(1)(c)).
2.4 Technical data
When you interact with the Academy, our web server automatically records:
- Your IP address — used at the moment of a login attempt for rate-limiting (so attackers cannot brute-force your password).
- Your browser type and operating system — for compatibility debugging.
- Session cookie identifier — required to keep you logged in (see Section 8).
- HTTP error logs — when something goes wrong, for us to debug.
Legal basis: our legitimate interest (Article 6(1)(f)) in securing the platform against abuse and in maintaining service reliability. This legitimate interest does not override your fundamental rights because the data is minimal, used for security and debugging only, retained briefly, and never used for marketing profiling.
2.5 What we deliberately do NOT collect
The Academy is designed to be data-minimal. We do not collect:
- Your date of birth beyond the 18+ age-gate at registration (which is a self-declaration, not a stored birth date).
- Your employer's name, unless you are part of an Organisation Licence (in which case the Organisation tells us).
- Your location beyond the country code you optionally provide (no GPS, no IP geolocation beyond what's used for VAT rate selection).
- Analytics profiling data — we do not run Google Analytics, Facebook Pixel, or similar third-party tracking on the Academy.
- Marketing preferences — we do not send marketing emails; we send only transactional emails (verification, password reset, Diploma ready).
3. Who we share data with
We share the minimum data needed with a short list of processors who help us run the Academy. Each is bound by a Data Processing Agreement under GDPR Article 28.
| Processor | Purpose | Data shared | Location |
|---|---|---|---|
| Hetzner Online GmbH | Hosting of the platform (server, database, email log storage) | All account + Learning Progress Data (encrypted at rest, under our control) | Germany (EU) |
| Resend (Resend, Inc.) | Delivery of transactional email (verification, password reset, Diploma-ready) | Email address, first name, template content | United States (see Section 4) |
| Stripe, Inc. | Payment processing | Payment amount, currency, customer email, transaction metadata | Ireland (EU) for EU customers |
| OpenProvider | Domain name registration | No end-user data — only our own registrant details | Netherlands (EU) |
We do not sell personal data. We do not share personal data with advertisers, data brokers, or analytics networks. We do not share data with law enforcement except under a binding legal order.
If an Organisation purchases Team or Licence Seats for its employees, that Organisation receives progress reports and completion certificates for its own staff (necessary to administer the training it paid for). When you register through a Licence Seat, we tell you exactly what your employer will see.
4. International data transfers
One of our processors, Resend, operates servers in the United States. When we send you a transactional email, your email address and the email content are transferred there.
This transfer is covered by the Standard Contractual Clauses (SCCs) adopted by the European Commission in Implementing Decision (EU) 2021/914, which are signed between us and Resend. Resend is also self-certified under the EU-U.S. Data Privacy Framework adopted by the Commission's adequacy decision of 10 July 2023.
All other processors (Hetzner, Stripe for EU customers, OpenProvider) operate within the EEA.
If we add a new processor or a new destination outside the EEA, we will update this Privacy Policy and notify registered Learners at least thirty (30) days in advance by email.
5. How long we keep your data
| Data | Retention | Reason |
|---|---|---|
| Account data (email, name, password hash, role, language, country) | For the life of the account, plus 5 years after deletion or final activity | To allow re-issuance of Diplomas on request; standard Spanish training record retention. |
| Learning Progress Data | 5 years after last activity on the account | To provide continuous evidence of completion and to allow resumption after extended breaks. |
| Diploma issuance records (minimal: Diploma ID, name, date, track) | Permanent | To allow third parties to verify the authenticity of a Diploma indefinitely. |
| Payment and invoicing records | 6 years | Spanish tax law (Código de Comercio, Article 30). |
| Technical logs (IP address, browser, HTTP errors) | 90 days | Security and debugging. After 90 days the logs are rotated and deleted. |
| Login attempt records (for rate limiting) | 1 hour after the attempt | Only needed for the active rate-limit window; deleted automatically. |
| Consent records (which Terms / Privacy version you accepted, and when) | Permanent | To evidence lawful basis for processing under GDPR. |
When you delete your account (see Section 6, Right to Erasure), we remove all personal data from the Academy platform except:
- The minimal Diploma issuance record (ID, name, date, track) — because this is a statement about the world that was true at a point in time, and deleting it would break verification for third parties who hold your Diploma in good faith.
- Invoice and payment records we are legally required to keep for 6 years under Spanish tax law.
- The consent record, anonymised if possible.
6. Your rights under GDPR
As a data subject, you have the following rights. You can exercise any of them by writing to info@eco-heroes.org. We respond within thirty (30) days.
- Right of access (Article 15) — to receive a copy of all personal data we hold about you.
- Right to rectification (Article 16) — to correct inaccurate or incomplete data. You can do most of this yourself in your account settings.
- Right to erasure (Article 17) — also known as "the right to be forgotten". We will delete your account and associated data, subject to the legal retention carve-outs listed in Section 5.
- Right to restriction (Article 18) — to freeze processing while we investigate a dispute over accuracy or lawfulness.
- Right to data portability (Article 20) — to receive your data in a structured, machine-readable format (JSON, CSV, or PDF, at your choice) and to have it transmitted to another controller if technically feasible. See also Article 25 of the EU Data Act, which gives you the same right with the same formats specifically for the termination of the Service.
- Right to object (Article 21) — to object to processing based on legitimate interests. In practice this only applies to the technical logs in Section 2.4; the rest of the processing is based on contract performance or legal obligation and cannot be objected to without ending the service.
- Right not to be subject to automated decision-making (Article 22) — see Section 10. The Academy does not make automated decisions that have legal or similarly significant effects on you.
- Right to withdraw consent — where we process data based on consent (only the optional country-code field is in this category), you can withdraw consent at any time with no penalty. Withdrawal does not affect the lawfulness of processing before withdrawal.
- Right to lodge a complaint — see Section 12.
7. Security
We take security seriously. Concrete measures:
- Passwords are hashed with bcrypt (work factor 10), which incorporates a unique per-password salt. We cannot read them, only verify them.
- Transport — all traffic to the Academy is forced over HTTPS (TLS 1.2+). HSTS is enabled with a 2-year max-age and preload.
- Data at rest — the database lives on a Hetzner server with full-disk encryption.
- Access control — only our own operators have database access, via SSH-key-authenticated connections.
- Session security — session cookies are HttpOnly, Secure, and SameSite=Strict. Session IDs are regenerated on login to prevent fixation.
- Rate limiting — the login endpoint rate-limits by (IP, email) and by IP alone to prevent brute-force and credential stuffing.
- Security headers — HSTS, X-Frame-Options, Content-Security-Policy, Referrer-Policy, Permissions-Policy, Cross-Origin-Opener-Policy are all set.
- Input validation — all database queries use parameterised prepared statements. User input is sanitised or escaped at the point of output.
- CSRF protection on all state-changing requests.
In the unlikely event of a personal data breach that poses a risk to your rights and freedoms, we will notify the Spanish supervisory authority (AEPD) within 72 hours and, if the risk is high, notify you directly without undue delay, in accordance with Articles 33 and 34 GDPR.
8. Cookies
The Academy uses only strictly necessary cookies. These do not require consent under ePrivacy Directive 2002/58/EC.
| Cookie | Purpose | Duration | Type |
|---|---|---|---|
| PHPSESSID | Keeps you logged in during your session | Until browser close (or 30 days if you ticked "Keep me signed in") | Strictly necessary |
| csrf_token (in session) | Protects forms against cross-site request forgery | Same as session | Strictly necessary |
We do not use Google Analytics, Facebook Pixel, advertising cookies, third-party tracking, or persistent identifiers beyond what is listed above.
If we ever add analytics or tracking cookies, we will present you with a cookie consent banner compliant with the AEPD guidance on cookies (October 2023) before any non-essential cookie is set.
9. Children
The Academy is a professional training platform and is not directed at children. Our Terms of Service require registrants to be at least 18 years of age.
If we become aware that we have inadvertently collected personal data from a person under 18, we will delete it promptly. If you are a parent or guardian and believe your child has created an Academy account, please contact info@eco-heroes.org.
10. Automated decision-making and profiling
The Academy does not make automated decisions about you that have legal or similarly significant effects, within the meaning of GDPR Article 22.
We do the following, which some might describe as "algorithmic" but which we want to be explicit about:
- Quiz scoring — a quiz is graded automatically against the correct answers. If you pass, you progress; if you don't, you retake. This is a self-paced training exercise, not a significant decision about you. You can retake any quiz.
- Login rate limiting — if too many failed attempts occur from your IP or against your email in a short window, further attempts are silently delayed. This is a security measure, not a significant decision. It self-clears after 15 minutes.
- Role-based content selection — we present SDG course variants matched to the role you selected at registration. You can change your role at any time in account settings to see the variants for another role.
None of these use machine learning, predictive analytics, or inference about your behaviour. They are deterministic: the same input always produces the same output.
11. Changes to this policy
We may update this Privacy Policy from time to time. When changes are material:
- We notify registered Learners at least thirty (30) days before the changes take effect, by email and by a notice on the platform.
- If you do not agree with the changes, you may terminate your account in accordance with Section 9 of the Terms of Service, without penalty, before the changes take effect.
- Continued use of the Academy after the effective date of the changes constitutes acceptance of the updated Policy.
The current version of this Policy is always available at learn.eco-heroes.org/legal/privacy.html. Your consent at registration is recorded against a specific version number.
12. Contact & supervisory authority
12.1 Contact us first
For any question or request about your personal data, please write to:
Eco Heroes International SL
Girona, Spain
info@eco-heroes.org
We respond to data-protection requests within thirty (30) days.
12.2 Lodge a complaint with a supervisory authority
You always have the right to lodge a complaint with a data protection supervisory authority, in particular in the EU Member State where you live, where you work, or where the alleged infringement took place.
The supervisory authority for Eco Heroes International SL is:
Agencia Española de Protección de Datos (AEPD)
C/ Jorge Juan, 6
28001 Madrid, Spain
www.aepd.es
The AEPD's online complaint procedure is available in Spanish and English.
This Privacy Policy was last updated on 22 April 2026 (version 1.0). The most current version is always available at learn.eco-heroes.org/legal/privacy.html.